what you don't know can hurt you

Confluence Wiki 4.1.4 Cross Site Scripting

Confluence Wiki 4.1.4 Cross Site Scripting
Posted Sep 15, 2012
Authored by INTREST SEC

Confluence Wiki versions 3.5.9, 4.0.3, and 4.1.4 suffer from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | 18385f05924c77ef5e1d58598146fb29

Confluence Wiki 4.1.4 Cross Site Scripting

Change Mirror Download
-------------------------------
INTREST SEC | Security Advisory
-------------------------------


Product: Confluence Wiki
Vendor: Atlassian (www.atlassian.com)
Vulnerability Type: Cross Site Scripting (XSS)
Risk Level: High (classified by vendor)
Discovered by: INTREST SEC - NID
Public Diclosure: 2012/09/12
Vendor Notification: 2012/02/07
Tested Versions: 3.5.9, 4.0.3, 4.1.4
CVSS Score: 7.5


## Details

Atlassian Confluence is described as "Collaboration tool for teams to
create, share, and discuss rich content - docs, files, ideas, specs,
diagrams, mockups, anything". (www.atlassian.com)


## Description

A security vulnerability within Atlassian Confluence Wiki has been
identified. It is remotely exploitable and based on the CWE-79 family
Cross-Site-Scripting (XSS). Confluence allows input passed in the URL to
be injected into the HTML structure of an error-page in an unsafe and
unsanitized way. Therefore it is possible to inject nonpersistent
JavasScript code. This vulnerability does not require authentication of
the victim and can easily be exploited by manipulating the GET request.


## Proof of Concept

The following URL triggers the XSS by including <IFRAME
SRC="javascript:alert('XSS')"> into the error page:

http://localhost:8090/pages/includes/
status-list-mo%3CIFRAME%20SRC%3D%22javascript%3Aalert%28%27XSS%27%29%22%3E.vm


## Solution

According to the vendor, upgrade to Confluence 4.1.9 or later.


## References

[1] Atlassian Security Advisory
https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-09-11


## Time Table

[2012/02/07] Informed vendor about the vulnerability via ticketing system
[2012/02/08] Informed vendor that Atlassian JIRA (at least 4.4.3 and
4.4.4) is also infected
[2012/02/09] Vendor created a ticket for JIRA vulnerability
[2012/02/09] Vendor response: JIRA problem already known. "The fix
should be available in JIRA 5.0 or 5.0.1"
[2012/03/21] Vendor tagged ticket as fixed.
[2012/04/02] Asked vendor about things like patch release date,
requesting a CVE number, releasing an advisory
[2012/04/03] Vendor response: No dedicated Patch; Version 4.1.9 has been
released; no CVE will requested by vendor
[2012/08/27] Vendor defined advisory release date to 2012/09/11
[2012/08/27] Informed vendor about additional advisory release through
INTREST SEC
[2012/09/11] Vendor released advisory
[2012/09/13] INTREST SEC released advisory


--

INTREST SEC
Intelligent Information Security
-----------------------------------------------------------------------
Kommunalstrasse 15 - A-4020 Linz - Austria
Tel. +43 (0) 732 / 341 060
Fax. +43 (0) 732 / 341 060 - 20
researchlab [at] intrest.at | www.intrest-sec.com
-----------------------------------------------------------------------






Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    11 Files
  • 21
    May 21st
    21 Files
  • 22
    May 22nd
    20 Files
  • 23
    May 23rd
    36 Files
  • 24
    May 24th
    2 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close